From: Ivan Grover
To: Dag-Erling Smørgrav
Cc: freebsd-security@freebsd.org
Subject: Re: PAM rules inside pam.d
Date: Fri, 27 Feb 2009 19:48:41 +0530

Hi,

I am sorry, my observation was wrong. I debugged the problem; it looks strange. These are my findings:

I have my PAM rules for my service as

    auth required /lib/security/pam_securetty.so
    auth required pam_stack.so service=system-auth
    auth required /lib/security/pam_nologin.so

The pam_unix module returns authentication failure from pam_unix.so from pam_stack.so, hence the control reaches pam_nologin.so. The same rules work well with telnet/ftp, but fail for my service.

I have checked the username and password passed to the PAM module by changing the sources of pam_nologin.so; they are proper. I didn't have sources for pam_unix, so I am not able to detect the exact problem.

My suspicion is that my application using my PAM service might have done some fd leaks or any other problem. But the max fds open by my application are 185, which is still below the max limit (OPEN_MAX).

Restarting the application resolves the problem and I am able to authenticate the user.

Can anyone help me with what could be the problem?

Thanks and Best Regards,

On Wed, Feb 25, 2009 at 1:11 AM, Dag-Erling Smørgrav wrote:
> Ivan Grover writes:
> > Now, after upgrading PAM modules (pam_unix.so, pam_stack.so..) and
> > library [...]
>
> Upgrading from what to what?
>
> Have you tried the standard debugging procedure?
>
> DES
> --
> Dag-Erling Smørgrav - des@des.no